Bug 911685 (CVE-2013-0342)

Summary: CVE-2013-0342 python-pyrad: CreateID() creates serialized packet IDs for RADIUS
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: lemenkov, npmccallum
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 11:00:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 894488, 911687    
Bug Blocks:    

Description Vincent Danen 2013-02-15 16:12:02 UTC 
Nathaniel McCallum reported that pyrad was creating serialized RADIUS packet IDs in the CreateID() function in packet.py.  This is not suitable for RADIUS as the RFC specifies that the ID must not be predictable.  As a result, the ID of the next packet sent can be spoofed.

This has been corrected in upstream's forthcoming version 2.1 via:

https://github.com/wichert/pyrad/commit/38f74b36814ca5b1a27d9898141126af4953bee5
Comment 1 Vincent Danen 2013-02-15 16:13:20 UTC 
Created python-pyrad tracking bugs for this issue

Affects: fedora-all [bug 894488]
Affects: epel-all [bug 911687]
Comment 2 Vincent Danen 2013-02-20 17:11:38 UTC 

*** This bug has been marked as a duplicate of bug 911682 ***
Comment 3 Nathaniel McCallum 2013-02-20 22:56:31 UTC 
The above patch does not apply to this issue as this issue is NOT a duplicate of bug 911682.
Comment 4 Vincent Danen 2013-02-20 23:04:31 UTC 
Why is that?

If I look at the patch, I see the change to CreateID() on line 226/229 from using random.randrange() to random_generator.randrange().  Is that not the fix for this issue?

That is the only upstream patch applied in the last year and a half.
Comment 5 Nathaniel McCallum 2013-02-21 15:34:10 UTC 
See: https://github.com/wichert/pyrad/blob/38f74b36814ca5b1a27d9898141126af4953bee5/pyrad/packet.py#L518

There are two CreateID() codepaths. One generates a random ID and the other generates a sequential ID. Neither checks for uniqueness.

To be fair, this predictability is only exploitable in the presence of another security problem. So the issue is minor and it would require a major upstream API rework. I don't know if upstream will accept any patch to fix this or even consider this a bug. Bug 911682 is far more serious.

I'm not sure how the CVE for this bug should be handled.
Comment 6 Vincent Danen 2013-02-21 23:13:16 UTC 
Ok, I see it now.  Your initial report wasn't clear enough (pointing to actual code snippets instead of function names (when there are two identical) would have helped.

This is a bit messy now.  We did have two CVEs assigned, and MITRE rejected one based on their assumption (and my own) of that patch correcting both flaws.  I'll have to see if we can use the old one or if we need a new one again.

I've requested it on oss-sec now: http://www.openwall.com/lists/oss-security/2013/02/21/27
Comment 7 Vincent Danen 2013-02-22 17:05:57 UTC 
CVE-2013-0342 was assigned to this issue:

http://www.openwall.com/lists/oss-security/2013/02/22/2
Comment 8 Product Security DevOps Team 2019-06-10 11:00:06 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.